Changeset 1601 for trunk


Ignore:
Timestamp:
Aug 21, 2010, 4:03:13 AM (12 years ago)
Author:
geofft
Message:
admof: Re-resolve the potential sysadmin's name within SYSADMIN_CELL

While it's true that foreign cells will generally resolve the username to e.g.
geofft.root@athena.mit.edu, which the athena cell ptservers are okay with, it's
more correct to just use the name as resolved in the athena cell.
File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/server/common/oursrc/accountadm/admof.c

    r1600 r1601  
    9696}
    9797
     98/* Resolve a Kerberos principal to a name usable by the AFS PTS. */
     99void
     100resolve_principal(const char *name, const char *cell, char *user)
     101{
     102    /* Figure out the cell's realm. */
     103    krb5_context context;
     104    krb5_init_context(&context);
     105
     106    char **realm_list;
     107    if (krb5_get_host_realm(context, cell, &realm_list) != 0 ||
     108        realm_list[0] == NULL)
     109        die("internal error: krb5_get_host_realm failed");
     110
     111    /* Convert the Kerberos 5 principal into a (Kerberos IV-style) AFS
     112       name, omitting the realm if it equals the cell's realm. */
     113    krb5_principal principal;
     114    if (krb5_parse_name(context, name, &principal) != 0)
     115        die("internal error: krb5_parse_name failed");
     116    char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
     117    if (krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0)
     118        die("internal error: krb5_524_conv_principal failed\n");
     119    if (kname_unparse(user, pname, pinst,
     120                      strcmp(prealm, realm_list[0]) == 0 ? NULL : prealm) != 0)
     121        die("internal error: kname_unparse failed\n");
     122
     123    krb5_free_principal(context, principal);
     124    krb5_free_host_realm(context, realm_list);
     125    krb5_free_context(context);
     126
     127    /* Instead of canonicalizing the name as below, we just use
     128       strcasecmp above. */
     129#if 0
     130    afs_int32 id;
     131    if (pr_SNameToId((char *)user, &id) != 0)
     132        die("bad principal\n");
     133    if (id == ANONYMOUSID)
     134        die("anonymous\n");
     135    if (pr_SIdToName(id, user) != 0)
     136        die("internal error: pr_SIdToName failed\n");
     137#endif
     138}
     139
    98140int
    99141main(int argc, const char *argv[])
     
    186228    afsconf_Close(configdir);
    187229
    188     /* Figure out the cell's realm. */
    189     krb5_context context;
    190     krb5_init_context(&context);
    191 
    192     char **realm_list;
    193     if (krb5_get_host_realm(context, cellconfig.hostName[0], &realm_list) != 0 ||
    194         realm_list[0] == NULL)
    195         die("internal error: krb5_get_host_realm failed");
    196 
    197     /* Convert the Kerberos 5 principal into a (Kerberos IV-style) AFS
    198        name, omitting the realm if it equals the cell's realm. */
    199     krb5_principal principal;
    200     if (krb5_parse_name(context, name, &principal) != 0)
    201         die("internal error: krb5_parse_name failed");
    202     char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
    203     if (krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0)
    204         die("internal error: krb5_524_conv_principal failed\n");
    205230    char user[MAX(PR_MAXNAMELEN, MAX_K_NAME_SZ)];
    206     if (kname_unparse(user, pname, pinst,
    207                       strcmp(prealm, realm_list[0]) == 0 ? NULL : prealm) != 0)
    208         die("internal error: kname_unparse failed\n");
    209 
    210     krb5_free_principal(context, principal);
    211     krb5_free_host_realm(context, realm_list);
    212     krb5_free_context(context);
    213 
    214     /* Instead of canonicalizing the name as below, we just use
    215        strcasecmp above. */
    216 #if 0
    217     afs_int32 id;
    218     if (pr_SNameToId((char *)user, &id) != 0)
    219         die("bad principal\n");
    220     if (id == ANONYMOUSID)
    221         die("anonymous\n");
    222     if (pr_SIdToName(id, user) != 0)
    223         die("internal error: pr_SIdToName failed\n");
    224 #endif
     231    resolve_principal(name, cellconfig.hostName[0], user);
    225232
    226233    /* Read the locker ACL. */
     
    250257        char sysadmins[] = SYSADMINS, sysadmin_cell[] = SYSADMIN_CELL;
    251258        if (pr_Initialize(secLevel, (char *)AFSDIR_CLIENT_ETC_DIRPATH, sysadmin_cell) == 0) {
     259            resolve_principal(name, sysadmin_cell, user);
    252260            if (ismember(user, sysadmins)) {
    253261                openlog("admof", 0, LOG_AUTHPRIV);
Note: See TracChangeset for help on using the changeset viewer.